Windows Password Policy

Password Policy

Passwords have long been the bane of security because they are so incompatible with the human element: the better the password, the harder it is to remember. Passwords are easy to share and often easy to guess if users are left to choose their own. The password policies in Windows reflect 2 main theories for mitigating the human-element risks that arise with passwords. Based on the assumption that users will sooner or later share their password, or that someone will guess it or discover it from a sticky note on the monitor, it’s widely assumed you should force users to regularly change their password to keep it a moving target and thus constantly close the window of opportunity for a compromised password to be exploited.

Policy Scope

All of the settings in this section apply either to domain accounts in Active Directory or local accounts on member servers. See the article "Account Policies Explained" at the upper level.

Passwords as moving targets

Therefore Windows provides a Maximum password age policy which forces users to change their password, say, every 90 days. Of course, users being the humans they are, many who are rather satisfied with their current password simply say “Oh yeah?” and change their password from “raiders” to “raiders” – no misprint.

To force users to actually select a new password when Maximum password age is reached, Windows provides Enforce password history, which lets Windows detect users trying to re-use a password over the course of a specified number of password changes.

Of course, users still being the humans they are, I’ve observed logs showing recalcitrant users that repeatedly change their password in immediate succession enough times to make Windows forget their favorite password, and thus after a few minutes of effort they are back to “raiders”.

That’s why Windows provides Minimum password age with which you can slow down those repeat password changers and discourage their attempts to defeat Enforce password history.
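
To make the interplay of these three settings concrete, here is an added toy model in C (not code from the article or from Windows) of Enforce password history and Minimum password age: the 24-password history, the one-minute change interval, the clear-text storage and the account structure are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define HISTORY_LEN 24   /* Enforce password history: 24 passwords remembered (assumed) */
#define PW_MAX 64
#define DAY_SECONDS (24L * 60 * 60)
enum { ACCEPT = 0, REJECT_TOO_SOON = 1, REJECT_REUSED = 2 };
/* Toy model of one account. Passwords are kept in clear only for the demo;
 * Windows keeps hashes of the remembered passwords. */
typedef struct {
    char history[HISTORY_LEN][PW_MAX];  /* ring buffer of remembered passwords */
    int count, next;                    /* filled slots, slot to overwrite next */
    time_t last_change;
} account_t;

void account_init(account_t *a, const char *initial, time_t now)
{
    memset(a, 0, sizeof *a);
    strncpy(a->history[0], initial, PW_MAX - 1);
    a->count = 1; a->next = 1; a->last_change = now;
}

/* Apply Minimum password age first, then Enforce password history, then record. */
int change_password(account_t *a, const char *proposed, time_t now, long min_age_days)
{
    int i;
    if (now - a->last_change < min_age_days * DAY_SECONDS) return REJECT_TOO_SOON;
    for (i = 0; i < a->count; i++)
        if (strcmp(a->history[i], proposed) == 0) return REJECT_REUSED;
    strncpy(a->history[a->next], proposed, PW_MAX - 1);
    a->history[a->next][PW_MAX - 1] = '\0';
    a->next = (a->next + 1) % HISTORY_LEN;   /* oldest entry is forgotten */
    if (a->count < HISTORY_LEN) a->count++;
    a->last_change = now;
    return ACCEPT;
}

/* The behaviour the article describes: burn through HISTORY_LEN throwaway
 * passwords a minute apart, then try to go back to "raiders". 1 = accepted. */
int history_can_be_cycled(long min_age_days)
{
    account_t a; char tmp[PW_MAX]; int i; time_t now = 1000000;  /* constructed start time */
    account_init(&a, "raiders", now);
    for (i = 0; i < HISTORY_LEN; i++) {
        snprintf(tmp, sizeof tmp, "throwaway%d", i);
        now += 60;
        change_password(&a, tmp, now, min_age_days);
    }
    return change_password(&a, "raiders", now + 60, min_age_days) == ACCEPT;
}
```

With Minimum password age left at 0 the old favourite comes back after 24 quick changes; with it set to 1 day every one of those changes is refused, so history is never flushed.
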

Password composition

It still amazes me how, even in this age of awareness of privacy, identity theft and hacking, people still pick such simple, easy-to-guess passwords. Windows provides 2 policies that help you at least try to get users to pick better quality passwords. The 2 accepted ways to make passwords hard to guess are length and character variety. Minimum password length lets you require that users select passwords at least X characters long, even if it’s just 1234567 or aaaaaaa. To coax users into actually varying the characters within that minimum length you can use Password must meet complexity requirements.

If you require custom password composition controls you can take advantage of an extensibility feature of Windows called notification packages. A notification package is a simple DLL, written by you or an ISV and installed on domain controllers, which Windows calls into whenever a user changes their password. Your DLL is supplied with the user’s name and proposed new password, and after running your custom evaluation logic you answer back TRUE or FALSE according to whether the password meets your criteria for what’s acceptable.
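As an added example (not code from the article or from any shipping product), here is the skeleton of such a notification package in C: a portable core rule plus the three entry points LSA looks for in the DLL. The minimum length of 12, the three-of-four-classes rule and the account-name check are assumed policy choices, not Windows defaults.

```c
#include <wchar.h>
#include <wctype.h>
#define MIN_LEN 12  /* assumed organisational minimum, not a Windows default */

/* Case-insensitive search on counted buffers (UNICODE_STRING is not NUL-terminated). */
static int contains_ci(const wchar_t *hay, size_t hlen, const wchar_t *nd, size_t nlen)
{
    size_t i, j;
    if (nlen == 0 || nlen > hlen) return 0;
    for (i = 0; i + nlen <= hlen; i++) {
        for (j = 0; j < nlen && towlower((wint_t)hay[i + j]) == towlower((wint_t)nd[j]); j++) { }
        if (j == nlen) return 1;
    }
    return 0;
}

/* Portable core rule: at least MIN_LEN chars, at least 3 of the 4 classes
 * upper/lower/digit/other, and the account name not inside it. 1 = accept. */
int password_meets_policy(const wchar_t *pw, size_t pw_len,
                          const wchar_t *account, size_t acct_len)
{
    int upper = 0, lower = 0, digit = 0, other = 0;
    size_t i;
    if (pw_len < MIN_LEN) return 0;
    for (i = 0; i < pw_len; i++) {
        wint_t c = (wint_t)pw[i];
        if (iswupper(c)) upper = 1;
        else if (iswlower(c)) lower = 1;
        else if (iswdigit(c)) digit = 1;
        else other = 1;
    }
    if (upper + lower + digit + other < 3) return 0;
    if (acct_len >= 3 && contains_ci(pw, pw_len, account, acct_len)) return 0;
    return 1;
}

#ifdef _WIN32  /* DLL entry points; the core above also builds elsewhere for unit tests */
#include <windows.h>
#include <ntsecapi.h>
/* Exports LSA expects (list them in a .def file); UNICODE_STRING.Length is in bytes. */
BOOLEAN PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                       PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    size_t pl = Password->Length / sizeof(WCHAR), al = AccountName->Length / sizeof(WCHAR);
    (void)FullName; (void)SetOperation;  /* SetOperation is TRUE for administrative resets */
    return (BOOLEAN)password_meets_policy(Password->Buffer, pl, AccountName->Buffer, al);
}
BOOLEAN InitializeChangeNotify(void) { return TRUE; }
NTSTATUS PasswordChangeNotify(PUNICODE_STRING u, ULONG rid, PUNICODE_STRING p) { (void)u; (void)rid; (void)p; return 0; }
#endif
```

The built DLL goes in %SystemRoot%\System32 on each domain controller and its base name is appended to the Notification Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which takes effect after a reboot; because the filter runs inside LSASS, a crash or hang in it takes authentication down with it, so keep the logic simple and test it off-box first, as the portable core here allows.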

In my opinion there are a lot of myths about and effort wasted on passwords. I’ll add more comments in the future but here’s a quick punch list:

Password cracking isn’t that big a deal. It used to be, because in the NT days it was relatively easy to obtain easily crackable password hashes from the SAM or sniff challenge/responses off the network. It isn’t that easy any more for up-to-date networks. Rainbow tables, yada yada. Don’t let them steal the password hash in the first place.

Requiring password complexity is better than nothing. Yeah, yeah, I’ve heard all the arguments about requiring complex passwords, such as: 1) it results in predictable patterns, 2) it encourages users to write the password down, 3) with rainbow tables even “complex” passwords are instantly cracked. Security academics will find weaknesses in any control, but at the end of the day we are in business to do business, not to be secure in the academic sense, and I’m here to tell you that “Password1” is better than “password”.

You can configure human behavior. No matter how many settings you add to an OS you can’t force users to select and remember great quality passwords, but by actually engaging the humans you might be able to effect the behavior you desire. This takes a multi-pronged approach that includes security awareness, training in password selection and memory methods, and appropriate feedback to both cooperative and uncooperative users. Above all you need management backing; without that, stop worrying and go home to your wife and kids.

Bottom line

Don’t configure these policies in isolation from each other. In fact, all the policies under Account Policies should be viewed holistically. If you are forced by organizational dynamics to weaken one aspect of authentication controls, you can compensate with stricter controls elsewhere within Account Policies.